Privacy and Information Security In the News -- Week of January 23, 2006

1/23/2006

January 23, 2006


A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title and author of the article. If you have questions about a link, send us an e-mail by clicking here.

Google's Opposition to Subpoena Draws Praise, but Many Fear the Potential for Evil; Legislation Promised

Newspapers around the country have reacted to the news last week that Google was resisting a subpoena from the United States Department of Justice. The subpoena asked for all search terms used by customers during a one-week period, plus information on one million sites indexed by Google. MSN, Yahoo, and America Online have all complied with similar DOJ subpoenas.

Some in the media see Google's resistance as being a public relations boon to Google's image. For example, the editorial writers at the Los Angeles Times point out that,

The big winner in all this stands to be Google. The company's rapid expansion beyond simple Web searches, combined with revelations about the amount of data it stores about individual users, has led critics to accuse Google of violating its informal corporate motto, "Don't be evil." By resisting the feds' subpoena, however, the company has set itself above the search-engine pack — and given users a valuable reminder that searching through the Web leaves a trail.

"A tangled Web," http://www.latimes.com/news/opinion/la-ed-google22jan22,0,3090572.story?coll=la-home-oped

Others, however, have focused on a concern for the massive amount of personal information that companies like Google are able to amass about us. In the Washington Post, Leslie Walker writes:

It's one thing for our personal data to be stored on our own computers, which theoretically we could erase (a harder task than it seems, actually) whenever we choose. It's quite another to have so much personal activity logged and analyzed by distant, impersonal Web sites. There is simply no telling how much long-term control we are giving up over our digital reputations in these still-early days of the Web.

"Forgot What You Searched For? Google Didn't," http://www.washingtonpost.com/wp-dyn/content/article/2006/01/20/AR2006012001799.html.

The San Francisco Chronicle says that Google "can't have it both ways. If Google continues its data-collection practices - even if they are purely to identify markets for advertising purposes - its records will always be a target for the federal government." "The Allure of Google's Data," http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/01/20/EDGEPGPHA61.DTL. The New York Times editorial page makes the same point:

When pressed on privacy issues, Google - whose informal motto is "Don't be evil" - says it can be trusted with this information. But profiling consumers' behavior is potentially profitable for companies. And once catalogued, information can be abused by the government as well. Either way, the individual citizen loses.

"Fishing in Cyberspace," http://www.nytimes.com/2006/01/21/opinion/21sat2.html.

Blogger Ed Felten points out that the risk is not just that information will be subject to government subpoena. "As more and more data builds up in the company's disk farms," Felten writes, "the temptation to be evil only increases. Even if the company itself stays non-evil, its data trove will be a massive temptation for others to do evil. A rogue employee, an intruder, or just an accidental data leak could cause huge problems." "Google Video and Privacy," http://www.freedom-to-tinker.com/?p=956

According to the Boston Globe, Representative Edward Markey, of Massachusetts, intends to address these concerns with legislation that would require search firms to destroy records containing personal information after a reasonable period of time. "Internet search engines provide an extraordinary service," said Markey, "but the preservation of that service [should] not rely on a bottomless, timeless database that can do great damage despite good intentions." "Google subpoena roils the Web," http://www.boston.com/news/nation/articles/2006/01/21/google_subpoena_roils_the_web/

Tracking Cell Phones

Last week, we linked to an article about Internet data brokers and private investigators who are offering to track the movements of cell phone users based on their cell phone records. "Cell Phones Records Used to Track Users; Lawmakers Propose Legislation to Criminalize Sale of Phone Records," In the News, January 20, 2006. David T.S. Fraser at the Canadian Privacy Law Blog points to a service being offered in the United Kingdom that does away with the need to hire a data broker or private investigator or to get a warrant. The service is called "World Tracker." Enter a cell phone number on the service's site and you will get a Google map showing the location of the cell phone within 50 to 500 meters. The company that offers the service in the UK says it plans to offer it soon in the United States through Sprint. "World Tracker turns anyone into a cell phone spy," http://www.engadget.com/2006/01/20/world-tracker-turns-anyone-into-a-cellphone-spy/

Meanwhile, Verizon Wireless plans to offer a tracking service targeted at parents. According to Red Herring, Verizon's service, to be named "Verizon Chaperone," will allow parents to locate a child who has a cell phone equipped with a global positioning chip. In a feature called "Geo-fencing," parents will also be able to receive an e-mail if the cell phone leaves an area the parent designates. Verizon will begin offering the product in May. Red Herring reports that location-based services are popular in Korea and Japan, and will be increasingly offered in the United States. "Verizon to Help Track Kids," http://www.redherring.com/Article.aspx?a=15380&hed=Verizon+to+Help+Track+Kids.

Seattle Customers of Bank of America Report Rash of Thefts from Bank Accounts

The Seattle Post Intelligencer reports that customers of Bank of America in Seattle are reporting a rash of illegal withdrawals from their bank accounts made at ATM machines or through debit card purchases in foreign countries. While the bank would not confirm the report, the Seattle police said it had received an "unusual number of Bank of America-specific thefts." "B of A customers hit by thefts," http://seattlepi.nwsource.com/business/256517_cyberfraud21.html

Britain to Unify Computer Networks Housing Medical Records

Britain is launching a program to convert the country's 5,000 computer networks that house medical records into one network that can be accessed by over 400,000 doctors, nurses and other health professionals who work for the National Health Service. The project is estimated to cost $10.9 billion and is scheduled to be complete in 2010. A survey of doctors shows that skepticism about the program is growing. Only 17% of respondents said they supported it, compared to 57% who said they opposed it. Seventy-one percent of general practice physicians and 46% of all other physicians said patient records would be less secure after the changes. "U.K. e-health records face skepticism," http://news.monstersandcritics.com/health/article_1077962.php/U.K._e-health_records_face_skepticism


January 24, 2006


U.S. Companies Targeted with Malicious Trojan Horses

BusinessWeek online has an article about targeted attacks on U.S. companies intended to infect their computers using a targeted Trojan horse. A Trojan horse is malicious code that is hidden in what otherwise looks like an innocuous file. In an example cited by BusinessWeek, the malicious code was attached to an email in a file that purported to be a Microsoft Word document containing a CNN news story of interest to employees of the targeted companies. In another instance, the malicious code was hidden in a document that was designed to look like a request for proposal.

According to BusinessWeek, "Targeted trojans are key because they bypass most antivirus software and entice the recipient to believe the e-mail transmitting the Trojan is legitimate. The damage spreads because once a PC is infected with remote-control software, becoming what's known as a Zombie, it often remains undetected by users. Then, it can be harnessed to vast networks of infected machines, creating a powerful system of hacker-owned PCs called BotNets that spew more malicious code." BusinessWeek quotes the chief technology officer at a messaging security firm, who says that 50% of its clients have Zombie computers. "We're not talking tens of thousands of machines," says Paul Judge, of CipherTrust, "but tens of millions of machines that owners do not have control over. Now, someone has their fingers behind the gate of your organization." "Coming to Your PC's Back Door: Trojans," http://www.businessweek.com/technology/content/jan2006/tc20060123_003410.htm?campaign_id=rss_tech

Staying Anonymous While You Search

News that the Department of Justice has subpoenaed records from the major search engines has increased interest in how much information we leave behind when we search for information on the Internet. Wired News has an article that explains how search engines track your search requests and steps you can take to avoid building a trail of Internet searches. "How to Foil Search Engine Snoops," http://www.wired.com/news/technology/0,70051-0.html. The Blog at SearchEngineWatch has a much more detailed, and a bit more technical, article offering suggestions on how to remain anonymous on the Internet. "Protecting Your Search Privacy: A Flowchart To Tracks You Leave Behind," http://blog.searchenginewatch.com/blog/060123-112156

Donor Database Hacked at Notre Dame

A hacker broke into a computer at the University of Notre Dame's Development Office, getting access to sensitive personal information about donors who made gifts to the University between Nov. 22, 2005 and Jan. 12, 2006. According to the University, the information "may include" social security numbers and credit card account numbers, as well as check images. The University, which refused to estimate the number of donors affected, notified donors by email on Saturday and has sent a letter as well. "Breach may have exposed donor information," http://www.ndsmcobserver.com/media/paper660/news/2006/01/23/News/Breach.May.Have.Exposed.Donor.Information-1493395.shtml?norewrite&sourcedomain=www.ndsmcobserver.com

Illinois Sues Data Broker for Selling Cell Phone Records; FTC Says Cell Phone Records Will Not Be Released to Telemarketers

The State of Illinois has brought what it claims is the first action by any state against an information broker for obtaining cell phone records and selling them on the Internet. The State claims a Florida broker obtained cell phone records by defrauding cell phone companies into releasing phone records. "Broker sued for getting, selling phone records," http://www.suntimes.com/output/news/cst-nws-cell22.html.

In a related story, the Federal Trade Commission has issued a press release that attempts to put to rest a rumor, being spread by e-mail, that cell phone companies will soon release cell phone numbers to telemarketers. "Contrary to the e-mail," says the FTC, "cell phone numbers are NOT being released to telemarketers, and you will NOT soon be getting telemarketing calls on your cell phone." The FTC says it is not necessary to register your cell phone with the Do Not Call Registry. "The Truth about Cell Phones and the Do Not Call Registry," http://www.ftc.gov/opa/2006/01/dnccellphones.htm.

Flap Over Taking DNA Samples from Innocent Minors in Britain

A Conservative Member of Parliament in the United Kingdom has revealed that British Police have taken DNA samples from 24,000 youths who were not cautioned, charged or convicted of a crime. Grant Shapps, MP, uncovered the information when he was responding to a constituent's complaint that a DNA sample was taken from his 14-year-old son, who had been arrested in a case of mistaken identity. According to the Scotsman, DNA samples are taken from all suspects arrested in England, even if they are never charged. When Shapps inquired of the Home Office, he learned that English police had taken samples from 24,000 youngsters between the ages of 10 and 18. The United Kingdom has the largest DNA database in the world, which includes samples from 5 percent of the population. "DNA database 'built by stealth'," http://news.scotsman.com/latest.cfm?id=103232006

The story has caused "a huge row" in England. But the Scottish Executive says it wants the policy of retaining DNA samples from suspects who are never convicted to be preserved. The Scotsman reports that the policy has assisted the police in solving crimes: "Since 2001, English and Welsh police have retained the DNA of everyone they arrest. It is estimated that they have solved more than 10,000 offences including 88 murders, 45 attempted murders and 116 rapes, because of data which would otherwise have been thrown away." "Scottish police will be allowed to store DNA profiles," http://news.scotsman.com/scotland.cfm?id=106482006.


January 25, 2006


Stolen Laptops Contained Patient Information

The University of Washington Medical Center reports that two laptops containing sensitive personal information about 1,600 patients of the UW Travel Medical Service were stolen from an off-campus medical center office. The patient information included names, social security numbers, maiden names, birth dates, and diagnoses. One of the two computers was password protected. "UW Medical Center laptops stolen," http://seattlepi.nwsource.com/local/256774_laptop24.html

Outing Purveyors of Malicious Software

Internet research centers at Harvard Law School and Oxford University plan today to announce a program that identifies companies that produce unwanted adware and other malicious software. The schools are establishing a website (StopBadware.org) that will include a database of statements by people who have been victimized by malicious software. The site will also publish the names of offending companies. The New York Times quotes John G. Palfrey Jr., executive director of the Berkman Center for Internet and Society at Harvard: "We want to turn the spotlight on the bad actors, but also give ordinary users a place to go and get an early warning before they download something that might harm their computer." "New Program Takes Aim at Purveyors of Malicious Software," http://www.nytimes.com/2006/01/25/technology/25spy.html.

Living in a Surveillance Society

Author David Shenk has a guest column in today's New York Times that discusses the growing use of surveillance in our society. According to Shenk, "We are, without question, headed into a world where - mostly by our choice - the minute details of our bodies, lives and homes will be routinely tracked and shared, with potential for more convenience and safety but also abuse." "A Growing Web of Watchers Builds a Surveillance Society," http://www.nytimes.com/2006/01/25/technology/techspecial2/25essay.html.

The Times is running two other articles on surveillance issues. In one, Jonathan Glater writes about software that allows people to send email messages that cannot be traced or to maintain an anonymous blog. "Privacy for People Who Don't Show Their Navels," http://www.nytimes.com/2006/01/25/technology/techspecial2/25privacy.html. In the other, Noah Shachtman writes about new video analysis software that can use cheap web-connected cameras to identify persons and objects. "Faces and license plates can now be spotted, in almost real time, at ports, military bases and companies," writes Shachtman, "Security perimeters can be changed or strengthened with a mouse click. Feeds from hundreds of cameras can be combined into a single desktop view. And videotape that used to take hours, even days, to scour is searched in minutes." "The New Security: Cameras That Never Forget Your Face," http://www.nytimes.com/2006/01/25/technology/techspecial2/25video.html.

Guidelines on Removing Metadata

Documents created with popular programs such as Microsoft Word and Adobe Acrobat include embedded information called "metadata." The metadata may include information that you do not wish to share with the reader, such as the author's name, the date the document was created, or changes to the document and the name of the person who made the change. Though hidden in normal view, this information can easily be revealed. This is a special problem for the federal government when it releases documents, especially documents that have formerly been classified. The National Security Agency has issued guidelines to federal agencies on how to sanitize documents of metadata. "Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF"; "NSA Issues 'Metadata' Guidelines for Agencies," http://www.fas.org/sgp/othergov/dod/nsa-redact.pdf

School District Begins Iris Scanning of Parents and Teachers

Parents who want to remove their children from an elementary school in the Freehold Borough School District during class hours are now required to submit to an iris scan to establish positive identification. Teachers and staff entering the school will also use the scans to gain entry to the school. "Iris Scanning For New Jersey Grade School," http://www.techweb.com/wire/networking/177103003;jsessionid=4K2MGNECPGE2QQSNDBCCKH0CJUMEKJVN

Plan for Compulsory ID Cards in the U.K. Defeated

The battle over national ID cards continues in the United Kingdom. Earlier this week, the House of Lords voted to make the program voluntary and to require the government to obtain another Act of Parliament before ID cards could be made compulsory. The House of Commons had passed the legislation in June. "U.K. Lords Defeat Government Plan to Make ID Cards Compulsory," http://www.bloomberg.com/apps/news?pid=10000102&sid=ascMXXONlNK4&refer=uk


January 26, 2006


Another Stolen Laptop – 230,000 Customer Records at Risk

The New York Times reports that the investment advisory firm Ameriprise Financial has released news that a laptop computer containing sensitive personal information about 230,000 customers was stolen from an employee's car. According to the Times, the computer stored unencrypted lists of reassigned customer accounts. Although the computer was password protected, the failure to encrypt the data violated Ameriprise's rules. The employee has been fired. "Ameriprise Says Stolen Laptop Had Data on 230,000 People," http://www.nytimes.com/2006/01/26/business/26data.html

FTC: Identity Theft the Number One Consumer Complaint in 2005

The Federal Trade Commission has released its annual report regarding consumer fraud and identity theft. The FTC received over 686,000 complaints in 2005. Of those, the number one complaint, which accounted for 37% of all complaints, was identity theft. The most frequent form of identity theft was credit card fraud, which accounted for 26% of the identity theft complaints, followed by phone and utilities fraud (18%) and bank fraud (17%). The full 77-page report is available at: "Consumer Fraud and Identity Theft Complaint Data," http://www.consumer.gov/sentinel/pubs/Top10Fraud2005.pdf. The FTC Press Release, which summarizes the report, can be found at http://www.ftc.gov/opa/2006/01/topten.htm.

Google Criticized for Censoring Chinese Users

Google may be willing to stand up to the U.S. Department of Justice, which has subpoenaed Google search records, but it is being widely criticized for yielding to pressure from the Chinese government to censor services offered in China. Less than a week after refusing to comply with the DOJ's subpoena, Google has launched a Google site in the People's Republic of China that will censor certain terms, but will advise users when it does so. In addition, Google will not offer blogging or e-mail chat rooms to the Chinese. Reporting on the story, the BBC quotes a press release from Reporters Without Borders: "Google's statements about respecting online privacy are the height of hypocrisy in view of its strategy in China." Yahoo and Microsoft already censor their Internet service in China. "Google move 'black day' for China," http://news.bbc.co.uk/1/hi/technology/4647398.stm. For the BusinessWeek Online story see, "Google's Dicey Dance in China," http://www.businessweek.com/technology/content/jan2006/tc20060125_463123.htm.

Criticizing Google for being inconsistent is a bit unfair. In opposing the subpoena and in limiting its services in China, Google appears to be motivated by the same thing – its business interest rather than privacy. Adam Liptak, writing in today's New York Times, reports that even Google does not rely upon privacy rights in opposing the Department of Justice's subpoena. The issue, he says, "has almost nothing to do with privacy. It will turn, instead, on serious but relatively routine questions about trade secrets and civil procedure." Liptak notes that in a five-page letter to the Justice Department in October, Google explained that its primary objection was that "to comply with the request could endanger its crown-jewel trade secrets." "In Case About Google's Secrets, Yours Are Safe," http://www.nytimes.com/2006/01/26/technology/26privacy.html

Chinese Hackers Attack British Government

Chinese hackers targeted the British government in an attack launched on January 2, 2006. According to a story in Computerworld, the attack, which attempted to exploit a vulnerability in Windows, targeted 70 individuals working for the government, including researchers, secretaries, and members of Parliament. The targeted individuals were sent e-mails with an attachment that contained a Trojan horse. According to Computerworld, "Anyone opening this attachment would have enabled attackers to browse files, and possibly install a keylogging program to attempt the theft of passwords." The government's email filtering company managed to prevent any of the messages from getting through to their intended recipients. "China attacks U.K. government using Windows security hole: Attack attempted to exploit Windows Metafile vulnerability," http://www.computerworld.com/securitytopics/security/story/0,10801,108037,00.html.

Standoff at the Library

Librarians at the Newton Free Library, in Newton, Massachusetts, refused to grant FBI agents access to library computers without a warrant. The issue arose when FBI agents were investigating a threatening email sent to Brandeis University. Twelve buildings on campus and a local elementary school were evacuated. Within three hours, the FBI had traced the email message to a computer at the Newton Free Library. But when they arrived at the library, the librarians would not grant them access to the computers until they obtained a warrant. "Terror threat sparks Newton librarian/FBI standoff," http://news.bostonherald.com/localRegional/view.bg?articleid=122824


January 27, 2006


ChoicePoint Agrees to Pay $15 Million to Settle Claims Arising from Data Breach

The FTC announced a settlement with ChoicePoint, Inc., the data aggregator that disclosed a year ago that it had sold sensitive information about over 165,000 consumers to data thieves who posed as legitimate businesses. The FTC fined ChoicePoint, Inc., $10 million and required it to pay $5 million in damages to consumers. According to the FTC, 800 consumers were victims of identity theft following the data breach. In addition to making the monetary payments, ChoicePoint agreed to conduct visits of new and existing customers and to conduct security risk assessments and audits every two years for the next twenty years.

The FTC charged that ChoicePoint violated the Fair Credit Reporting Act by providing credit reports to people who did not have a permissible purpose to receive them and by failing to verify the identity of the entities to which it sold the credit reports. The FTC also charged that ChoicePoint violated the Federal Trade Commission Act by making false and misleading statements regarding its privacy policy and procedures. "ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress," http://www.ftc.gov/opa/2006/01/choicepoint.htm; "ChoicePoint to Pay $15M for Privacy Violations," http://blogs.washingtonpost.com/securityfix/2006/01/choicepoint_to_.html

Patient Records Stolen from Employee's Car

The records of 358,000 patients of Providence Home Services in Oregon and Washington were lost when a thief stole computer backup disks and tapes from an employee's car. According to the Seattle Times, the stolen information included patient names, addresses, dates of birth, insurance information, diagnoses, and Social Security numbers. The disks were in the car as part of the health service's backup program, which called for an employee to take them home each night. Reports the Times, "Providence said it will now treat backup data 'like cash,' transporting it to a secure off-site location." Encrypting the data wouldn't be a bad idea either. "Patients' information stolen in 3 thefts," http://seattletimes.nwsource.com/html/localnews/2002762444_recordtheft26m.html

Identity Theft Among Children Continued to Grow in 2005

The Federal Trade Commission's annual report of consumer fraud and identity theft data shows that identity theft complaints involving children continued to grow in 2005. The FTC received 11,601 complaints concerning children under 18 in 2005, up from 9,595 in 2004, and 6,512 in 2003. The under-18 age group represented 5% of the total identity theft complaints received by the FTC in 2005. The 18-29 age group had the highest incidence of reported identity theft, accounting for 29% of identity theft complaints. Consumer Fraud and Identity Theft Complaint Data: January – December 2005 http://www.consumer.gov/sentinel/pubs/Top10Fraud2005.pdf. For more information see, "Complaints rise about kids' stolen IDs," http://seattlepi.nwsource.com/national/1155AP_Identity_Theft_Kids.html

Survey Shows Mixed Support for Warrantless Surveillance

The results of a poll conducted for the New York Times and CBS News appear to show that Americans are willing to allow the government to eavesdrop on terrorists without a warrant but not on "ordinary Americans." Fifty-three percent of those surveyed said they would tolerate warrantless wiretaps of "some phone calls . . . to reduce the threat of terrorism." Forty-six percent said they were opposed. When the same question was posed without a reference to terrorism, only 46 percent supported the statement and 50 percent opposed. And, when the question was rephrased to ask whether the respondent would be willing, "in order to reduce the threat of terrorism," to allow the government "to monitor the telephone calls and e-mail of ordinary Americans on a regular basis?," 70 percent said they would not. "New Poll Finds Mixed Support for Wiretaps," http://www.nytimes.com/2006/01/27/politics/27poll.html?hp&ex=1138424400&en=b93f38e07b4d88d0&ei=5094&partner=homepage


Current and past issues of In the News are now available online at this link.


This message is provided by the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.

Warner Norcross & Judd LLP (www.wnj.com) is a full service law firm with four offices in Michigan. Our Privacy and Information Security Taskforce includes lawyers from across the firm's practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP, e-mail Rodney Martin at rmartin@wnj.com or write him at Warner Norcross & Judd LLP, Suite 900, 111 Lyon Street NW, Grand Rapids, MI 49503.


"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Taskforce. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.

Should you ever wish to stop receiving "In the News," simply click here to send us an email message and we will remove your name from the subscription list. Rest assured that we will not sell your contact information or share it with anyone outside our firm.
